Updating firmware on Mac
In addition to the paper, we’re also pleased to be able to release some of the tooling and APIs we developed during this work, with the aim of helping Apple Mac users and admins get better visibility into the state of the EFI their Mac systems are running and any potential problems there may be.
This blog post summarizes some of the main areas of the research and the interesting things we found during our analysis, and acts as an accessible introduction to the technical paper, which can be downloaded from the link below.
These mappings provided us with an oracle that, given the OS version and Mac model as inputs, would return the version of EFI that system should be running.
We could then compare the EFI version we expect a system to be running against the EFI version we actually observed it running.
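The comparison described above, written out as an added example (this is not code from the original post or its authors' tooling). The expected-EFI table and the fleet records are constructed placeholder values, not the real mapping from the paper, and the regular expression encodes an assumed layout of Apple EFI version strings (board prefix, `88Z`, four-digit build, revision, timestamp) that is used only to order versions here.

```python
"""Compare the EFI version a Mac is observed running against the version the
(model, OS build) oracle says it should be running, and classify the result.
Added example with constructed data; not the paper's real mapping."""
import re
from collections import Counter

# Constructed oracle: (Mac model identifier, macOS build) -> expected EFI version.
# Values are illustrative placeholders, not Apple's actual release data.
EXPECTED_EFI = {
    ("MacBookPro13,3", "16E195"): "MBP133.88Z.0226.B00.1703072230",
    ("MacBookPro13,3", "16D32"):  "MBP133.88Z.0224.B00.1702111108",
    ("iMac17,1",       "16E195"): "IM171.88Z.0105.B26.1703031509",
}

# Assumed layout of an EFI version string: <BOARD>.88Z.<BUILD>.<REV>.<YYMMDDHHMM>
EFI_RE = re.compile(
    r"^(?P<board>[A-Z0-9]+)\.88Z\.(?P<build>\d{4})\.(?P<rev>[A-Z]\d{2})\.(?P<stamp>\d{10})$"
)


def parse_efi(version):
    """Split an EFI version string into (board, build number, revision, timestamp)."""
    m = EFI_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised EFI version string: {version!r}")
    return (m["board"], int(m["build"]), m["rev"], m["stamp"])


def assess(model, os_build, observed_efi):
    """Classify one system: 'unknown' (no oracle entry), 'board-mismatch',
    'current', 'outdated' (EFI older than expected) or 'newer'."""
    expected = EXPECTED_EFI.get((model, os_build))
    if expected is None:
        return "unknown"
    exp = parse_efi(expected)
    obs = parse_efi(observed_efi)
    if exp[0] != obs[0]:
        # Firmware built for a different board ID is itself worth investigating.
        return "board-mismatch"
    # Order by build number, then revision, then timestamp.
    if obs[1:] == exp[1:]:
        return "current"
    return "outdated" if obs[1:] < exp[1:] else "newer"


def summarize(fleet):
    """Count the assessment outcome across a list of (model, os_build, efi) records."""
    return dict(Counter(assess(*record) for record in fleet))


# Constructed fleet records: one machine whose OS was updated but whose EFI was not,
# one model the oracle does not know, and one reporting firmware for the wrong board.
FLEET = [
    ("MacBookPro13,3", "16E195", "MBP133.88Z.0226.B00.1703072230"),
    ("MacBookPro13,3", "16E195", "MBP133.88Z.0224.B00.1702111108"),
    ("iMac17,1",       "16E195", "IM171.88Z.0105.B26.1703031509"),
    ("MacPro6,1",      "16E195", "MP61.88Z.0116.B25.1702021105"),
    ("iMac17,1",       "16E195", "MBP133.88Z.0226.B00.1703072230"),
]

if __name__ == "__main__":
    for record in FLEET:
        print(record[0], record[2], "->", assess(*record))
    print(summarize(FLEET))
```

On a real Mac the observed value comes from the "Boot ROM Version" field of `system_profiler SPHardwareDataType`; the "outdated" bucket is the interesting one, since it is exactly the case of a system that took an OS update without the accompanying EFI update.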
In a nutshell, attacking at the EFI layer gives you control of a system at a level that allows you to circumvent security controls put in place at higher levels, including the security mechanisms of the OS and applications.
In addition to the ability to circumvent higher-level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove - installing a new OS or even replacing the hard disk entirely is not enough to dislodge them.
This single-stakeholder ecosystem made the job of gathering and analyzing relevant data for our research quite a bit simpler; however, we believe that the main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not specific to Apple.

In a modern system, the EFI environment holds particular fascination for security researchers and attackers due to the level of privilege it affords if compromise is successful.